JavaScript must be enabled in order for you to use Knowledgebase Manager Pro. However, it seems JavaScript is either disabled or not supported by your browser. To use Knowledgebase Manager Pro, enable JavaScript by changing your browser options, then try again.
Learn more.

What is RRL?

RRL, or Response Rate Limiting, is an enhancement to implementations of the DNS protocol that can help mitigate DNS amplification attacks (see KB article AA-00897). In such an attack, the attacker sends high volumes of forged DNS queries to a large number of authoritative DNS servers, using the victim computer's IP address as the source of the request. The victim computer sees huge numbers of replies to questions that it did not ask. The authoritative servers have no way of knowing whether any particular DNS query is real or malicious, but can detect patterns and clusters of queries when they are abused at high volumes. If a goodly number of authoritative servers can all be tricked into sending high-volume replies to the same victim computer, it is quite likely to collapse from overload.

RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was available as a software build option in BIND 9.9.4.

The Problem

Any internet protocol based on UDP is suitable for use in a denial-of-service attack, but DNS is especially well suited for such malevolence. There are three reasons:

The User Datagram Protocol, or UDP, which is the norm for DNS traffic, was not designed with source validation in mind. DNS server software such as BIND cannot tell by examining a particular packet whether the source address in that packet is real or fraudulent. An attacker can therefore send DNS queries forged to look like they came from the intended victim, causing the DNS server to send the replies to that victim. This is a "reflected attack".

Most ISPs do not check for forged source addresses in outbound packets. This allows forged-address reflection attacks to be launched from almost anywhere.

Small DNS queries can generate large responses, allowing the attacker to send a lot less traffic than the victim receives, thereby amplifying the attack. For example, an EDNS query for the name isc.org of type ANY is 36 bytes long (not counting the wire headers) and triggers a response that is 3,576 bytes long. By using an authoritative DNS server as an unwitting accomplice, an attacker can achieve a nearly 100-fold increase in the amount of traffic that being directed at the victim and they can conceal the source of the attack as well.

A Solution

If one packet with a forged source address arrives at a DNS server, there is no way for the server to tell it is forged. If hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, there is a very high probability of those packets, as a group, being part of an attack. The RRL software has two parts. It detects patterns in arriving queries, and when it finds a pattern that suggests abuse, it can reduce the rate at which the replies are sent.

The Results

Operators of large authoritative servers have reported huge
reductions in network traffic and server load after enabling RRL.
Additionally, these servers are no longer seen as participating in
abusive network behavior as fewer illegitimate responses are reaching
their intended targets. The impact on legitimate traffic has been minimal.

For more information

KB article AA-00994 outlines how to use the RRL feature in BIND 9.10. As with all BIND features, the complete documentation is in the BIND Administrators' Reference Manual, the ARM. PDF and HTML versions of that manual are part of every release of BIND.

Either the version of named that you're running isn't the one that you most recently built (did it install into the directory you expected it to?), or there was a problem with the ./configure step (you can do a 'make clean' before doing ./configure to make sure that there's no possibility of inheriting an older set of configure options).

You can check the ./configure options that were used to build the version of named that you're running by using the -V option. For example:

After compling 9.9.4 with rate-limit, i noticed entries in rate-limit log file without configuring any rate-limit option in named.conf
So the question is what are the defaults values for rate-limit after compiling ?

While we usually say that rate limiting is not enabled by default, there is one exception to this: the built-in _bind CHAOS class view used for answering version.bind, authors.bind, and other related queries. Does this cover the RRL logging you saw?

Apologies, although the option to enable RRL was included in the README file in the tarball, this step was not clearly explained as necessary in this article. We've updated this article and added a new FAQ to explain this. Please build BIND with --enable-rrl if you wish to use this functionality.

A look at configure --help indicates that the solution is --enable-rrl. This also doesn't show up in the config status that's supposed to show what options are available and what are configured (it seems to be very short on those actually).

Thanks for commenting on this - I've added the specific request that we show whether or not rrl is enabled to an existing ticket (RT #34796) for improving the information provided in the configuration summary.

For future reference, please see https://www.isc.org/downloads/bind/ for information on where to report bugs and request new features.

I configured the "rate-limit" on my server 9.9.3-P2 and got the following error:
"config: error: /etc/named.conf: 52: unknown option 'rate-limit'"
I have found no reference on the RRL "9.9 BIND Administrator Reference Manual"

Apologies - we published this article too hastily, omitting the information that Response Rate Limiting is only available in BIND 9 from version 9.9.4 onwards. We've updated the article to explain this, as well as providing links to the unsupported open source patches that can be used until BIND 9.9.4 is available. (Subscription versions of BIND 9.9.3 already have RRL built-in.)